Pico HSM and Pico Fido firmware are open source and anyone can modify them. An attacker could build malicious firmware and upload it to your Pico device if the device is left unattended.
Pico Tool
The Raspberry Pi Foundation provides a tool called Pico Tool (picotool) that can read the firmware back from the device and compare it with the original firmware image that should be running on it. If there is a mismatch, it will complain.
Steps
- Download, build and install Pico Tool from their repository.
- Put your Pico in BOOTSEL mode.
- Execute
$ picotool verify pico_hsm.uf2
It will report OK if the firmware on the device matches the file you are comparing it against. If an attacker has modified your firmware, the comparison fails and you will notice it easily.
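The check above only proves that the flash matches whatever file you hand to picotool, so the file itself has to be one you trust. The following script is an added example, not part of the Pico HSM/Pico Fido project: it first checks the downloaded .uf2 against a release digest you supply (the digest value is a placeholder here), then runs picotool verify with the Pico in BOOTSEL mode. It assumes sha256sum and picotool are on PATH.

```shell
#!/bin/sh
# Verify a Pico HSM / Pico Fido firmware image, then verify the device flash against it.
# Step 1: confirm the .uf2 you downloaded has the SHA-256 published for the release,
#         so picotool is comparing the device with a trusted image, not just any file.
# Step 2: with the Pico in BOOTSEL mode, let picotool compare the flash contents.

# image_sha256 FILE -> prints the hex SHA-256 digest of FILE
image_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# check_image FILE EXPECTED -> 0 when FILE's digest equals EXPECTED, 1 otherwise
check_image() {
    actual=$(image_sha256 "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_device FILE -> exit status of 'picotool verify'; 0 means flash matches FILE
verify_device() {
    picotool verify "$1"
}

# verify_pico FILE EXPECTED -> 0 only if the image is trusted AND the device matches it
verify_pico() {
    image="$1"
    expected="$2"   # placeholder in the usage below; take it from the release you downloaded
    if ! check_image "$image" "$expected"; then
        echo "digest mismatch: do not trust $image" >&2
        return 1
    fi
    if ! verify_device "$image"; then
        echo "device flash does not match $image: firmware may have been tampered with" >&2
        return 2
    fi
    echo "OK: $image matches the release digest and the device flash"
}

# Usage: sh verify_pico.sh pico_hsm.uf2 REPLACE_WITH_RELEASE_SHA256
if [ $# -eq 2 ]; then
    verify_pico "$1" "$2"
fi
```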